Directory listing - TypeScript

Directory listing - TypeScript

Need

Prevention of unauthorized access to directory listings

Context

  • Usage of TypeScript for statically typed JavaScript development
  • Usage of Express for building web applications and APIs
  • Usage of path for handling file and directory paths

Description

Non compliant code

        import express from 'express';
import path from 'path';

const app = express();

app.use(express.static(path.join(__dirname, 'public')));

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
        
        

The vulnerability in the given code is the directory listing vulnerability. This vulnerability occurs because the code is using the express.static middleware without disabling the directory listing feature.

The express.static middleware is used to serve static files such as images, CSS, and JavaScript files. By default, if a request is made to a directory instead of a specific file, Express will automatically generate a directory listing page that displays the contents of that directory.

This can be a security risk because it allows an attacker to easily view the files and directories on the server. They can gather sensitive information about the application's structure, file names, and potentially access files that were not meant to be publicly accessible.

In the given code, the express.static middleware is used to serve the files in the 'public' directory. However, the directory listing feature is not disabled, so if an attacker sends a request to a directory within the 'public' directory, they will be able to see the contents of that directory.

To fix this vulnerability, the code should include the directory option in the express.static middleware and set it to false. This will disable the directory listing feature and prevent attackers from accessing the contents of directories.

Additionally, it is recommended to configure index files for directories. This means that instead of displaying a directory listing, the server should serve a specific file (e.g., index.html) when a directory is requested. This can be achieved by creating an index file for each directory or by using the index option in the express.static middleware to specify the default index file.

By disabling directory listing and configuring index files, the vulnerability can be mitigated, and sensitive information about the application and its files can be protected.

Steps

  • Disable directory listing in the server configuration
  • Remove the line 'app.use(express.static(path.join(__dirname, 'public')));'
  • Create an index file (e.g., index.html) in the 'public' directory to be shown when directories are loaded
  • Update the server configuration to serve the index file when a directory is requested

Compliant code

        import express from 'express';
import path from 'path';

const app = express();

app.use(express.static(path.join(__dirname, 'public')));

app.get('/', (req, res) => {
  res.sendFile(path.join(__dirname, 'public', 'index.html'));
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
        
        

The fixed code addresses the vulnerability by implementing measures to prevent directory listing.

First, the code imports the necessary modules, 'express' and 'path', which are used to create the server and handle file paths, respectively.

The code then creates an instance of the Express application and assigns it to the 'app' variable.

To prevent directory listing, the code uses the 'express.static' middleware provided by Express. This middleware serves static files from the 'public' directory, which is specified using the 'path.join' function. By serving only the static files, the code ensures that directory listing is disabled.

The code also sets up a route for the root URL ('/') using the 'app.get' method. When a request is made to the root URL, the code sends the 'index.html' file located in the 'public' directory using the 'res.sendFile' method. This ensures that the 'index.html' file is served as the default file when accessing the root URL.

Finally, the code starts the server on port 3000 using the 'app.listen' method and logs a message to the console to indicate that the server is running.

By disabling directory listing and specifying an index file, the fixed code mitigates the vulnerability and prevents an attacker from obtaining sensitive information about the server's files and directories.

References